Disney+ Plagued by Credential Stuffing

by Sarah Harvey / November 20th, 2019

Streaming services like Netflix, Hulu, HBO Now, and Prime Video have revolutionized the way people consume television and movies – and Disney is the latest company to join the craze with its newly-released and much-anticipated Disney+ streaming service. With more than 10 million users creating accounts within the first day the service was rolled out, Disney had to expect that the service would draw serious attention from attackers. After all, to sign up for the streaming service, users must input their name, email address, phone number, address, and payment card information. In other words, the anticipation surrounding the rollout, coupled with the kind of data Disney+ required to set up an account, created the perfect breeding ground for malicious hackers to steal data and make a quick profit.

Disney+ Security Incident: What Really Happened?

Within just a few hours of the rollout of the newest streaming service, Disney+ users reported experiencing technical issues, including being forced out of their accounts and having their email addresses and passwords changed. Shortly after, ZDNet reported that hackers were selling Disney+ accounts on the dark web for $3 to $11. In response to the backlash, Disney says it takes the privacy and security of users’ data very seriously, “and there is no indication of a security breach on Disney+.” Disney contends that the impacted accounts were compromised because users had recycled old usernames and passwords that were likely stolen in a separate data breach; however, some users have said that they used unique usernames and passwords for their Disney+ account and still got hacked. This points to two key takeaways: the need to prepare your organization against cyber threats, and the need to understand the dangers of credential stuffing.

Preparing for a Rollout

Preparing a product or service for market is a lengthy process – and one that can be greatly impacted if security is not ingrained in the creation of that product or service. When an organization, especially an enterprise-level organization like Disney, debuts a product or service that fails to secure the data of its customers, there’s a lot at stake. To prepare against advancing cyber threats, organizations would be wise to start with the following:

  1. Identify Key Assets: What data do you collect? Why? Where is it kept? How is it protected?
  2. Conduct a Risk Assessment: Identify and rank the risks to your organization, determine ways to mitigate those risks, and implement new processes.
  3. Establish an Incident Response Plan: Malicious hackers are on the prowl. You should assume that you’ll experience a security incident at any given time. Make sure you have a thorough and tested incident response plan, so you’re prepared for when, not if, a data breach occurs.

The Dangers of Credential Stuffing: Users Beware

According to KirkpatrickPrice Director of Audit Delivery, Richard Rieben, the Disney+ breach isn’t a breach of Disney’s infrastructure. Instead, it’s a credential stuffing attack. Why is this attack method so effective for big media companies? In their State of the Internet/Security – Credential Stuffing report, Akamai explains, “The media, gaming, and entertainment industries are prized targets for criminals who are looking to trade in stolen information and access. The accounts are sold in bulk, and the goal for the criminals is to move their goods by volume, rather than single account sales.” Rieben explains, “Password management is key here. If you reuse usernames and passwords across multiple platforms, and then one platform experiences a breach, anywhere you used that email/password combination is now susceptible to attack and account compromise.” What can users do to prevent falling victim to credential stuffing attacks? It’s simple: use unique usernames and passwords, and consider following these password best practices. Companies like Disney, on the other hand, can help their customers avoid falling victim to credential stuffing attacks by implementing security controls like multi-factor authentication.
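From the service operator’s side, the pattern Akamai and Rieben describe has a recognizable shape in authentication logs: one source trying a small number of logins against many different accounts, most of them failing, rather than many attempts against one account (brute force). The script below is an added example, not code from KirkpatrickPrice, Disney, or Akamai; it runs over a constructed sample log in a made-up `login user=… src=… result=…` format and flags sources that fit the credential-stuffing shape, so a company can spot and rate-limit or challenge such traffic before accounts are sold in bulk.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example, not real traffic).
SAMPLE_LOG = """\
2019-11-12T08:00:01Z login user=alice@example.com src=203.0.113.10 result=FAIL
2019-11-12T08:00:02Z login user=bob@example.com src=203.0.113.10 result=FAIL
2019-11-12T08:00:02Z login user=carol@example.com src=203.0.113.10 result=SUCCESS
2019-11-12T08:00:03Z login user=dave@example.com src=203.0.113.10 result=FAIL
2019-11-12T08:00:04Z login user=erin@example.com src=203.0.113.10 result=FAIL
2019-11-12T08:00:05Z login user=frank@example.com src=203.0.113.10 result=SUCCESS
2019-11-12T08:05:00Z login user=alice@example.com src=198.51.100.7 result=FAIL
2019-11-12T08:05:30Z login user=alice@example.com src=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)$")

def parse_events(text):
    """Parse log lines into (timestamp, user, source_ip, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["res"] == "SUCCESS"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.5):
    """Flag sources that, within `window`, hit many *distinct* accounts with mostly failures.
    Returns {src: (distinct_users, attempts, successes)} for the largest qualifying window."""
    by_src = defaultdict(list)
    for ts, user, src, ok in events:
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding time window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_rate:
                if src not in flagged or len(chunk) > flagged[src][1]:
                    flagged[src] = (len(users), len(chunk), len(chunk) - fails)
    return flagged
```

In the sample, 203.0.113.10 is flagged (six accounts, six attempts, two of which succeeded and would warrant a step-up challenge such as multi-factor authentication), while 198.51.100.7 is a single user mistyping a password and is left alone. The thresholds are assumptions to tune against your own baseline traffic.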

While it’s too early to tell the impact of this security incident, Disney+’s nightmare debut offers valuable insight into the dangers of credential stuffing. If your organization is planning on debuting a new product or service, let us help you ensure its security. Contact us today to get started.
